Office of Inspector General

Review of Contract Monitoring in the Office of Information Technology

OR10-01

March 2010

FEDERAL MARITIME COMMISSION
Washington, DC 20573-0001

March 4, 2010

TO:       Ronald D. Murphy, Managing Director
FROM:     Adam R. Trzeciak, Inspector General
SUBJECT:  Review of Contract Monitoring in the Office of Information Technology

The Office of Inspector General (OIG) completed its review of the agency’s monitoring of the contract for database design, build and maintenance. Our objective was not to perform a thorough review of the contract; rather we focused primarily on contract requirements, oversight and deliverables. Over three fiscal years (2007 through 2009) the agency paid the contractor $513,000 to build databases and applications that share and process data, provide technical advice and develop technical requirements, and provide system software maintenance.[1]

During our fieldwork, the OIG learned that the FMC will scale down its existing contract and instead move forward on a new Enterprise Content Management initiative, essentially maintaining the data collected by previous applications, but scrapping the applications themselves.
In light of this shift, we present best practices for moving forward with a new vendor rather than specific recommendations.

Background

As part of the annual financial statement audit, the OIG reviewed several large contracts for compliance with regulations and performed select tests to ensure that funds were appropriately spent. During this review, we identified one large contract that had obligations for FY07 – FY09 totaling approximately $750,000.[2] Due primarily to the size relative to other procurement actions in FY 2009, the OIG selected the database contract for a closer review.

[1] Per OIG policy and discussion with the contractor, the OIG is not identifying the contractor by name in the report.
[2] With option years, the contract was expected to total $1.35 million.

Due to scope and methodology considerations, we did not attempt a thorough review of all facets of the contract lifecycle. Rather our focus was to assess agency monitoring of the contract and review deliverables to determine whether the agency received what it expected to receive and, if not, identify the reasons why it did not. We focused on the agency’s activities to establish and maintain the contract.
We did not assess the contractor’s performance.

To collect information for this review, the OIG met with several participants involved in selecting, approving and monitoring the contract, to include the contracting officer, the Chief Information Officer (CIO), Contracting Officer’s Technical Representatives (COTR) and program staff who would be using the database applications to perform mission-related activities. We did not interview the contractor for this limited scope review; however, the contractor was provided the opportunity to comment on the draft report. His comments are attached in their entirety to this memorandum.

The FMC uses eleven customized applications to collect and process data.[3] Some of these applications are inwardly facing (e.g., only accessible by FMC employees) and others are outwardly facing (accessible by public users for submitting their required data via online forms). FMC employees use the data from these applications to perform mission-related duties and responsibilities and, on occasion, must print and re-enter the data manually, from publicly submitted forms, into other applications to ensure consistency among databases.

Because of inefficiencies resulting when databases are not integrated, the FMC entered into a contractual relationship with the contractor to build databases and applications that share and process data consistently. Advantages include the elimination of manual data entry and integration among different applications housing identical information, ensuring that updates would occur simultaneously.

The OIG focused on the agency’s contract for the design and development of agency databases. However, to fully understand the requirement and deliverables, we also reviewed the predecessor contract for background purposes.

On April 7, 2005, the FMC awarded a contract to assist the agency to develop a database.
Prior to this time, the agency was running applications in Microsoft Access on individual workstations. For security and efficiency reasons, the agency sought to move to an enterprise platform environment with shared database capability among several applications. This database was to enhance indexing features and augment online capabilities for end users. In its proposal, the predecessor contractor indicated that it would perform the following functions:

    • Enhance server performance.
        o Ensure there are little or no downtime issues related to server computing.
    • Increase access to data.
        o The various applications interface (talk) with each other, thus enabling a user on one application to send data to another application.
    • Develop security enhancements.
        o Agencies must comply with Federal Information Security Management Act (FISMA) requirements on its information systems.
    • Migrate to Structured Query Language (SQL) server 2000.
        o When all of the server applications are on the same technology, then the applications should be able to interface with each other.

[3] These applications are in various stages of development although all have been placed in production.

Based on discussions with CIO staff, the foundation for the shared database and several of the applications were laid, but the work was not completed. For reasons unrelated to performance, the predecessor contract was not renewed. Rather, a new contract was awarded on September 29, 2007, to continue with design and development work begun by the predecessor. This transition was essentially seamless; the two predecessor staff, who worked on the initial contract, were hired by the new contractor at the contract’s inception and assigned to the FMC.

According to the Performance Work Statement (PWS), the new contractor would provide the following services and products to the FMC (which are listed as requirements in the PWS):

    • Design, develop, implement, modify and manage databases.
        o Ensure that databases would be updated in order for them to be integrated with each other to eliminate manual processes in place.
    • Ensure accuracy and accessibility of data sources.
        o Ensure that data is accurate across databases and is accessible to multiple users across different applications simultaneously.
    • Plan for anticipated changes in data sources.
        o Expect that issues or changes subsequent to database integration will occur and processes will be in place to address them timely.
    • Develop, modify or implement new or existing database applications.
        o Be flexible to meet the FMC’s needs should any of the databases require further development or modifications.
    • Develop database queries.
        o Provide reporting capabilities once databases have been updated based on queries from the user community.
    • Define and develop user interface requirements and design interfaces.
        o Ensure that
          interfaces between databases are defined and developed with data completeness, accuracy and availability in mind.
    • Prepare system flowcharts, standard operating procedures and a quality assurance plan.
        o Develop flow charts and diagrams once the databases have been designed to ensure that a roadmap of the configuration has been documented for subsequent modifications.

In September 2007, the COTR responsible for overseeing the initial (predecessor) engagement, and development of the PWS for the requirement awarded to the new contractor, separated from the agency. A new COTR was assigned and remains the current COTR.

According to Office of Information Technology (OIT) staff, the new (i.e., current) contractor delivered the “front end” of several applications. For example, it developed (and redeveloped) applications used in Consumer Affairs and Dispute Resolution Services (CADRS), the Office of Inspector General (OIG) and the Registered Person’s Index (RPI). As of the completion of our fieldwork, it has not yet completed development of the supporting databases that would allow data collected from these sources (specifically, RPI and Office of Transportation Intermediaries (OTI)) to be integrated and searchable for other agency applications.

The contractor told the OIG that the OTI list uses data from RPI and Form 1. However, the OIG notes that data from Form 18, the online OTI application, is still entered manually almost three years after the electronic form was made available to the industry.
According to the contractor, the agency failed to define how to handle the data communication between Form 18 and the RPI, even after discussions with program staff.

In the fall of 2009, the FMC instructed the contractor to cease further development work and to focus on maintenance of the databases. The CIO felt that the two developers were being pulled in too many directions (development, maintenance, changes to designs, etc.) to finish the database.

According to the contractor, it has a contractual obligation to deliver all of the documents reflected in its proposal. However, the contractor stated that it is limited by the number of work hours provided by FMC to complete these deliverables as FMC determines the daily priorities of the developers. The contractor concludes that the current team cannot produce and maintain code, develop documents and more at the same time. The OIG believes that the contractor raises a valid point – and FMC management agrees. It was spread too thin to focus on development work, which was where the expectations of program staff were focused.

Findings

Since 2005, the agency has spent just over $1 million (with both contractors) to develop a fully integrated database. Agency needs for data to carry out its missions often cross bureau and office lines; hence the agency’s ability to share data among its program and enforcement staff is critical to meet challenges in periods of scarce resources, i.e., needing to do more with less. When fully functional, the database would reduce manual processes and enhance document processing speed and accuracy. Although the current applications utilize similar technical specifications (e.g. SQL – the necessary foundation for integration), there is little or no communication between the applications, as of the completion of our fieldwork.[4]

Recently the contractors automated the FMC OTI application.
Prior to this development, the form was completed manually by applicants. While the intent is to download the data from the application form directly into a shared database, this has not yet occurred. Staff in the Bureau of Certification and Licensing (BCL) must manually enter information from the automated form into the database. On the other hand, other agency applications have been updated and their utility has been enhanced for users of the information.

[4] Subsequent to fieldwork completion, OIT informed the OIG that it planned to integrate the applications from the start. But it first needed to upgrade to the new SQL server, a lengthy process that was completed, according to the OIT Director, in October 2009.

The question that we rhetorically ask is, “five years and $1 million later, is the agency where it expected to be at this point?” Without exception, staff expected to be further along with the integrated database. During our discussions, we learned of expectations of program staff for a finished product to assist in streamlining work processes for overburdened employees that have not been met. Yet in some instances, the efforts of program staff to add functionality slowed the development process.
Further, we were given no assurances that the systems in development were designed to meet federal information security requirements (e.g., FISMA).

The OIG has identified the following major contributing factors as to why this contract has yet to meet staff expectations:

    • Non-specific requirements and deliverables. A proper Performance Work Statement provides vendors with the requirements of the task and the deliverables, i.e., products expected of them. Our review of the PWS found unclear requirements and nonspecific deliverables. Program manager expectations were not met.
    • Applications were placed into production before they were fully developed and FISMA compliant.
    • Contractor status reports lacked specificity that would enable the COTR to recognize potential problems.
    • Technical design changes were made routinely to the front and back-ends of systems, some of which were already in production. Developers were unable to work with one approved design document.
    • Significant time was spent on maintenance rather than development. Systems in production suffered implementation issues that had to be addressed by developers, reducing the time they could devote to completing applications and databases.

Each of these causes is discussed in more detail below.

PWS Clarity

A PWS (sometimes referred to as a Statement of Work) is a work order for the contractor. Besides telling the contractor what needs to be done, it enables the government to hold the contractor accountable for the agreed-upon payments. The onus is on the government to produce a clear statement with understandable deliverables.

The OIG found that the PWS lacked specificity and clarity. It spelled out requirements in ways that could be interpreted differently.
Many tasks could be considered complying with the PWS. For example,

    • Develop database queries
        o (OIG Analysis) It is very difficult to develop database queries when the PWS does not specifically identify or describe the number, frequency, quantity and type of queries. Database queries occur when a user pulls specific data from a database for analysis. That query can be large or small and contain a variety of attributes.
    • Ensure accuracy of data sources
        o (OIG Analysis) Data can come from an array of sources ranging from individual user input to downloads from another information system. It is hard to ensure accuracy when the data sources have not been described and explained.

As a result the contractors were often treated like staff that was repeatedly given direction “on the go” rather than once at the outset. The contractor told the OIG that it has not received an initial time table or suspend date to deliver a fully integrated database.

The contracting officer (CO) indicated to us that the initial PWS lacked deliverable specificity. The CO contacted the COTR to discuss but was told that OIT preferred to identify the deliverables in a general rather than specific fashion. The current OIT Director told the OIG that he believes that the deliverables should have been more specific.

The OIG notes that problems with non-specific deliverables were brought to the agency’s attention beginning in March 2002, in Audit Report No. A02-01, Evaluation of Agency’s Procurement of the Form FMC-1 System. In the report, we noted that (t)he success or failure of projects are based on the development of the SOW.
If the descriptions of the tasks contained in the SOW are deficient, the consequences could result in failure of the project; (and) receipt of substandard services… (p. 5). The report concluded that the Form 1 SOW lacked sufficient clarity which impacted performance and contract funding. A similar finding was presented in A07-02, Audit of Contracts for Consulting Services, where we noted that the SOW contained no deliverables or timeframes to hold the contractor accountable.

Applications in Production before Completed

A previous FMC chairman made automating many of the agency’s manual systems a priority. While many other sister agencies had taken advantage of technology to streamline agency work processes, the FMC still relied heavily on manual systems. Under his leadership, the agency moved forward to automate work processes, including several outwardly-facing applications like the online license application.

Several individuals we spoke with said that they felt rushed to push applications into production to meet the expectations of the former Chairman.[5] Further, it appears that federally-mandated security considerations were ignored when placing these systems into production. As a consequence, the agency is supporting applications that are not FISMA compliant.
Moving forward, decisions on the timing of placing applications into production must be made not with an eye on meeting the expectations of executives but when they are ready.

[5] The OIG did not interview the former Chairman to discuss his knowledge of the procurement in question, including the timing of putting the application into production. We found nothing to suggest that the former Chair compelled staff to rush any applications into production. Nor do we suspect the former chair would have approved putting any application into production before it was fully tested and ready.

In its response, the contractor indicated that the contract does not require it to specifically produce FISMA-compliant products. Further, to fully implement interoperability, FISMA compliance, and document the systems, the contractor stated that more staff is needed.

Oversight of Contractors

As part of administering this contract, the contractor submitted monthly status updates. In the OIG’s opinion, those status updates lacked clarity and substance, making an informed review of the contractor’s work difficult.
Examples of the information in the status update include:

    • Complete overhaul of passport application to let authorized FMC staff administer user accounts (July 2009 status update)
    • Writing a complex database to filter and clean inconsistent database records (March 2009 status update)
    • Solving ongoing bugs on Form 1 (service contract transmittal form) (February 2009 status update)

It was difficult for the OIG to discern what the contractors did, based on the “updates.” It would have been much more helpful, had the status agenda included:

    • What was the overhaul of the application?
    • What specifically was performed on the database applications?
    • Why was FMC staff not authorized originally to administer user accounts?
    • What specifically was written within the database and what were the filters?
    • Which database records were inconsistent? Why were they inconsistent?
    • What are the ongoing bugs?
    • How long have these bugs caused issues?

Subsequent invoice approvals were made by the COTR without appropriate supporting documentation to support invoice totals. Had clearer status updates been written, or had the COTR requested a different format, those details could have been reconciled or mapped to specific monthly bills. Further, if fixing ongoing bugs turned into a routine work task for the contractors, this should have necessitated a discussion with the contractor to add staff or modify the contract to add funding – depending on the cause for the bugs. The supporting documentation should be directly linked to monthly invoices, line by line, or detail by detail.

The contractor pointed out that its summary reports are not designed to help the COTR recognize potential problems.
Rather, their purpose is to document the level of effort of the contract to help the COTR determine if he is getting what FMC is paying for in the contract. The contractor also responded that it could prepare status reports in whatever format the agency deemed necessary.

While the COTR was in close proximity to the contractors, it is likely that he was aware of its work products and performance. The contractor indicated that the FMC management team, not the contractor, controls the developer’s (contractor’s) daily workload. However, as the next “contributing factor” (see below) indicates, developers were spending large blocks of time modifying design due to changing requirements. These changes should have been identified on status reports as a way to parse development costs. In other words, the developers were spending large amounts of time on modifying designs and performing maintenance instead of developing the database.

Changes to Applications throughout Design

System plans should be essentially complete prior to design. An occasional “tweak” is often necessary but generally designers work better if they have a static blueprint. The OIG was told by program and IT staff alike that several meetings were held to discuss database requirements. Once the developers began building the “front end” of some of the applications, significant design work continued due to changing requirements. This caused delays and reconstruction of work already performed; i.e., waste.

Based on our discussions with staff, it appears that communication between the FMC program staff and the COTR could have been improved. Suggestions for design changes by program staff may not have been understood.
More likely, the COTR’s attempts to accommodate program design changes sent a signal that such changes could be accommodated without much of a problem.

One technique used by other agencies with success is the Information Technology Steering Committee. This committee would include both IT and program office personnel who discuss and approve all changes to major applications. This ensures that both IT and program offices recognize the level of effort and associated costs with design changes. Meetings are accompanied by minutes and include documentation of all agreed-upon changes. Formalized communication would have enabled the program offices to clearly identify expectations regarding those applications. Further, OIT could have then managed the contractors based on the expected results from the program offices. In an agency the size of the FMC, an alternative to the “committee” is to appoint one individual that can speak for all.

The OIG cannot opine on the necessity for any “mid-course” changes. We were told by OIT that they resulted in delays and increased contract costs. Moving forward, it is essential that the parameters of the product that the agency is purchasing be finalized before development begins. This again emphasizes the importance of clearly defining requirements in the PWS.

Focus on Maintenance

Although the applications have been modified and enhanced since the beginning of the contract, most of the work performed is to maintain the applications. After speaking with several FMC employees, we learned that the two full-time contractor employees spent most of their time fixing and responding to issues associated with the applications. One example of an ongoing issue has been that of encryption.
The data submitted by public users is sometimes encrypted. The encrypted data cannot be used as part of database queries due to the state of the data (encrypted).

Due to the wording of the PWS, the FMC had some flexibility to assign the developers where needed. Much of their time was spent on maintenance, without allowing them to develop, for example, a fully integrated Form 18. When the Form 18 “went live” in 2007, staff told the OIG that it expected that the back end, i.e., the database that collects the information, would, in short order, be functioning. But three years later, BCL staff is still manually entering information from forms that applicants submit over the internet. While the applicants’ process may have been streamlined, the agency’s has not.

The CIO told the OIG that he recently suspended all development work on the contract and told the developers to focus on maintenance. This decision was made just prior to his decision to scrap the existing contract and database design.

Summary

While the OIG did not perform an audit of the contract or assess contractor performance, the documents we reviewed and the officials we spoke with indicate, clearly, that the agency received less than it expected in this acquisition – for a number of reasons. As a consequence, the agency wasted scarce resources. The FMC will be able to keep the data already collected but the applications themselves will be scrapped.

Recently the CIO concluded that the agency’s needs for database design and build can be better met through a commercial off the shelf (COTS) system customized to meet FMC requirements. The system will also be security compliant. While we recognize this was a tough decision to make, it appears to us to be the right decision.
The agency was putting itself in a position to continue throwing good money after bad choices. We believe the money the agency will spend on the COTS system will end up being less expensive than attempting to address the many issues with the current piecemeal system.

As of the end of the fiscal year 2009, the agency paid the contractor $512,624, and will continue to pay the contractor for maintenance through most of fiscal year 2010.

The agency is now slated to spend over $200,000 for maintenance of its applications. Maintenance should be performed as needed. Many agencies contract out for maintenance and maintenance teams respond when needed. The fact that the FMC is supporting two contractors onsite for maintenance means (1) agency applications need constant attention – which is problematic, or (2) we are not using the developers optimally.

Moving forward, it is important to take steps to ensure that the agency does not find itself in similar situations as it relies more on technological solutions to enhance its efficiency and effectiveness. To that end, the OIG makes the following recommendations.

Recommendations

The OIG turned to best practices in government and the private sector to identify methodologies that have successfully been used to process IT procurement actions:

    1. Routine meetings, especially at the front end of a project, should occur between OIT and the end-users as frequently as needed concerning expectations. These expectations should then be documented in the PWS and contractors should work towards ensuring that the end-users receive an end product that was negotiated for and expected with regards to the contract.
    2. The Performance Work Statement should be based on user requirements.
       The PWS should be clear, concise, measurable and attainable so that contractors can be evaluated against concrete terms.
    3. At the outset, identify one individual who will have decision-making authority across organizations and who will be accountable for the interests of everyone involved in the project.
    4. All status updates submitted by contractors should be signed off by the COTR and reconciled against the expectations documented in the PWS.

Comments to the Final Report

The OIG prepared two draft reports and the final report. Each report was provided to the contractor for review and comment. Prior to the issuance of the final report, the contractor requested that its comments on each version be attached to the final report in their entirety. Per discussion with the contractor, we have redacted the name of the contractor in all responses, as the report is not an evaluation of the contractor’s performance but of the FMC’s monitoring of the contract.

The OIG also provided the Office of Information Technology the opportunity to comment on the draft and final reports. Although several discussions were held with the CIO and his staff, management chose not to provide written comments for inclusion in the final report.

“[redacted] is an 8a, Service Disabled Veteran Owned, Hubzone, and SDB Information Technology Solutions Provider”

January 25, 2010

To: Adam R. Trzeciak
    Inspector General
    Federal Maritime Commission
    800 N. Capitol Street, Room 1054
    Washington DC 20573

Subject: Comments to FMC OIG Audit Report.

Listed below is more information that may be helpful to your audit.
Feel free to call me if you need more detail or clarification on any of the information in my comments.

    1. As of January 25, 2010,                does not have any Request for Deviation, Waiver, or Cure Notices or Show Cause Letters, or termination notices on the FMC contract.

    2.                      on-site staff personnel are technical personnel with limited managerial responsibility. They are not part of                   management team with oversight of the FMC contract. These employees are not authorized to make any official statements that may negatively impact the contract. In accordance with my contract with FMC all official communication or requests for information must go through the Contracting Officer Technical Representative (Jim Wood) or Contracting Officer (William Alan Dotson). The developers on site do not have total knowledge of the FMC contract. In fact, only             has authorization to answer any official requests for information about                   FMC contract. Please consider this when finalizing your audit report.

    3. On August 16, 2007,                    developed a Quality Assurance plan with the technical proposal to FMC. The plan is used today by                     to monitor the quality of work products and other factors on the contract. There are no outstanding issues, problems or complaints. Since 2007, I have only received two verbal complaints from Jim Wood and both were resolved within 24 hours. I repeat, as of today,                        does not have any Request for Deviation, Waiver, or Cure Notices or Show Cause Letters, or termination notices.

    4.
The following is not a true statement from the audit report, “However, it did not complete development of the supporting databases that would allow data collected from these sources to be integrated and searchable for other agency applications.”

    The following statements explain why the above statement is not true. Any of these applications can use data from any of the databases in the agency. All the back end database structures are developed and they are available for any of the systems that need them. Furthermore, here are a few more points:

    a) –        didn’t only develop a “front end” application but also developed all the back end databases and table relations and as of now         maintains 15 databases with around 300 tables.

    b) – CADERS and OIG are standalone applications that help end users to file and follow up complaints. None of the other agencies’ systems need data from those systems, and if they need, it is available.

    c) – RPI application was a database maintained in Dbase in one flat file. Now the data is cleaned, the tables were normalized and migrated to SQL server 2005. Users of RPI can search from all RPI tables and all the table fields via custom made query builder. Users can build their own query and get the results on the grid, and users also have the option to download the result with Access or Excel file for further data analysis.

    d) – the OTI list uses data from RPI and Form1 and that is how it is built to work now. Using SQL Business Intelligent Development and SSIS the OTI list is automated to use data from the two different tables (RPI and Form1).
The database and table structure we maintain allows any system to customize and use data from any of the agency’s databases.

    5. Since there was no documentation received from the                                   we have developed several internal flowcharting diagrams that are used to help with problem solving.

    In May 2008,                    developed and delivered the following documentation to FMC. The documents were not returned for any reason for revision, therefore they were by default determined to be acceptable.
    a. FMC Technical Design Document (Form 78 and 83).
    b. Business Rules and Program Specifications for Form FMC-78 (data dictionary)
    c. FMC Form 18 User Guide
    d. Six Database Schemes

    6.                      does not provide daily operational control over the on-site developers. The FMC management team controls the developers’ daily workload. This work agreement allows the CIO great flexibility to easily change the direction of the contract at anytime.                     management team provides contractual, administrative, and limited quality assurance oversight.

    7. FMC has a very complex Information Management System that consists of 13 databases and applications. It is not a simple task to convert flat file to integrated file and standalone application to online application that share data. True interoperability requires a lot of intelligence of the men and women to make it happen. We are a lot closer than we were in 2007.

    Please take into consideration that the on-site developers work very hard every day to maintain a production system and complete development assignments at the same time.
    To fully implement interoperability, FISMA compliant, and document the systems, more staff is needed.
Hence,                     submitted an unsolicited proposal to FMC on November 5, 2008 to increase the staff temporarily to help increase productivity.

    8. The                      Summary Reports are not designed to help the COTR “recognize potential problems.” The purpose of the Monthly Summary Report is to document the level of effort of the contract, to help COTR determine if he is getting what FMC is paying for in this contract.                   is prepared to make any adjustments to the report as needed. However, the instructions must come from either the COTR or CO.                                                        understands that FMC’s Quality Assurance Surveillance Plan is used to monitor the contract. Since 2007, I have conducted quarterly reviews of the progress of the contract with Mr. Jim Wood. And, I repeat for a third time; as of today,                 does not have any Request for Deviation, Waiver, or Cure Notices or Show Cause Letters, or termination notices.

    9. If any application was “rushed into production” it was authorized by FMC not                . The FMC program management team determines when an application is placed into production. This contract does not require                     to specifically produce any products that are FISMA compliant. However, the two developers will follow the instructions of the FMC project management team while developing applications and databases. If FMC wishes to amend the contract to allow                    to officially provide the FISMA direction, we are ready to assign the appropriate security specialist with that skill set. However,                 has developed an online application that provides a single password to access all applications.

    10.
Here are a few more facts about what                     has done since 2007:

This report was prepared by             . If there are any questions please call me directly at                      .

CEO,

Email:                        -com, web site: www.c            .com

An Information Technology Solutions Provider

February 4, 2010

Adam R. Trzeciak
Inspector General
Federal Maritime Commission
800 N. Capitol Street, Room 1054
Washington DC 20573

Subject:                    Comments to Mr. Trzeciak Audit Report.

                 has a contractual obligation to deliver all of the documents reflected in our bid. However, we are limited by the number of work hours provided by FMC to complete these deliverables. FMC determines the daily priorities of the developers.

                    developers follow FMC’s procedures and processes in the performance of their daily duties. FMC does not use/follow the standard Software/System Development Life Cycle (SDLC) process.

FMC does not have the standard Development, Testing and Production system environments. Because these three platforms are not available the developers have to ensure all development code is error free as much as possible. Because they are subject matter experts this gives them the ability to provide a high degree of accuracy. The two                     developers are experts with years of experience and are highly educated and knowledgeable in their field of expertise.

At Project initiation, the developers meet with the customer, who has the requirement and the FMC Program Management Team to identify key items (screen captures, database structures, and etc) needed to develop the plan of execution. The developers are given the plan of execution via email from FMC Program Management Team.
The document may contain all of the information needed to initiate a project. Then the developers will create a system flowchart if needed that will be used to help them understand the problems. If needed, the developers will also interview the customer to collect more information.

Furthermore,                    has developed User Guides for Form 18 and RPI. And, Form 18 is available today, online for the customers.                 received document routine maintenance procedures via email from FMC Program Management Team. We then execute the routine maintenance in accordance with those instructions.

All the tables inside the 15 databases are normalized and they are relational databases. Six of the databases have database schemas and we are currently working on documenting the remaining nine databases.

FMC does not have a Configuration Management Board and has not requested any configuration management documents.

                 is prepared to complete any documentation that is requested and in accordance with the contract. In addition,               requested that FMC Program Management Team set aside hours to complete some documents. In 2009, I met with FMC Management Team to set aside 10 hours a month to help with documentation. However, we were not able to obtain an implementation schedule so that those 10 hours would be used to work on specific documents.

The team is ready to complete any contractual deliverables but the FMC Program Management Team will have to make it a priority. The current team cannot produce and maintain code, develop documents, and more at the same time.

If one of FMC’s goals is to follow the standard SDLC then more staff is needed to meet the demand of documenting the process.
In January 2010, I met with the COTR about this subject and he informed me that they may be planning to strengthen the            team so that we are able to implement more features/functions of the SDLC process.

If you have any questions please let me know.

Thanks,

www                .com
SBA 8(a), SDB, SDVOB, HubZone, and VIP

Office:              Direct Line:               Fax:
Email:                             web site:

Final Comments                                          March 1, 2010

Final Comments
Dated: March 1, 2010
Prepared by             CEO

                   is a service disabled veteran owned Information Technology Company with excellent qualifications in software development. We are currently implementing industry best practices in our development and maintenance efforts under the direction of the Government. Throughout the two years and three months we have been on this contract we have made several recommendations for improving the systems. Some of those recommendations have already been implemented.

Now, my final comments about OIG Audit findings:

Since this is a review of                     contract at FMC, hence the title of the review, “OIG Review of           ”. I need your help, if you are willing please consider limiting the review to                    contract performance period. I am not responsible for anything that occurred before October 1, 2007 and for the work that was completed by .              should not be part of this review.
Your statement, “Since 2005, the agency has spent just over $1 million (with          and        ) to develop a fully integrated database” and “five years and $1 million later” are not true when reviewing                        contract.

                  has been on the FMC contract for two years and three months.           did not start until Oct 1, 2007. The process of integrating all of the applications and databases without an enterprise architecture design is very difficult, costly, and will take longer than 2 years and 3 months. Also,                      did not receive an initial time table or suspend date to deliver a fully integrated database from the Government.

Also, your comment that “the agency paid           $513,000 to build databases and application” is not totally accurate. FMC paid                    to do a lot more than build database and application. We provided technical advice, collected technical requirements, designed, developed, tested, documented, integrated, implemented database and application, and provided system software maintenance. We do a lot more than “build databases and application” for $513,000.

                  is not spread too thin to focus on development work. Our two developers are experts and are available to focus on any work assignments given to them by the FMC Management Team. The team for two years has developed databases and application, provided some documentation, and maintained all of the databases and applications at the same time. The Government determines the allocation of man-hours.

This summary shows the software development life cycle at FMC.
The agency as of now doesn’t even have a separate development, testing and production environment.                     does everything on a single computer and goes live to production without a proper testing environment. Most maintenance, upgrades and changes happen on the live application and live data, which involves a tremendous amount of risk.                   has been adjusting itself within the environment to provide the solution the agency needs upon request in a timely manner.

Life cycle                    Key task                                % of the total project life cycle

Analysis and Design           - understanding user requirement        20%
                              - meetings, document review
                              - prototyping proposed solution
                              - designing database schema
                              - Designing user interface
Coding & Development          - Code generation                       50%
                              - Database development
                              - Report generation
                              - Query building
                              - Data/file encryption
                              - Stored procedures
                              - SSIS packages
                              - Web services
                              - Script writing
Testing                       - Unit and system level testing         15%
                              - Security testing
Deploying                     - Accessibility testing
                              - Configuration and deployment
Documentation                 - User manual
                              - Database schema documentation
Integration and Maintenance   - System maintenance, scope redefine    15%
                              - Upgrades
                              - Additional functions
                              - User support
                              - Identifying and recommending integration requirements
                              - Database maintenance
                              - Handling on demand requests

On page 5, the following is not a fair statement, “We were given no assurances that the systems in development were designed to meet Federal information security requirements (e.g., FISMA).” FMC has not completed an assessment of the production systems. Without an assessment report it is impossible to determine what has or has not been developed to meet FISMA compliance. FMC’s System Security Officer (SSO) or Information SSO (ISSO) is responsible for implementing and assessing FISMA compliance. The comments I made earlier about                     development effort for FISMA compliance requiring a FISMA specialist was in response to FMC not having the resources to provide the required skill set.

On page 6, “Ensure accuracy of data source”; your answer to this bullet comment does not correctly address the task.                   is not responsible for individual users inputting data into the “array of sources”.
What                     does through our design and development of data entry screens is to help reduce data entry errors (ensure accuracy) by implementing input masking techniques to help guide the individual to help ensure accuracy of the inputted data, hence, helping to “ensure accuracy of data source.”

On page 7, “Oversight of Contractors”

All of the Status Reports submitted to the Government have been accepted. The COTR is part of the FMC Management Team that oversees the two developers’ day-to-day assignments, determines the priority of the two developers, and oversees the FMC Project Manager for all FMC systems. Therefore, the COTR is fully aware of what has been achieved in any given time period on the contract. However, more detail about each task may be needed for outsiders, but                    Status Report would not be the only input to brief the outsiders. For example, as you the “Auditor” read this report can easily come to the conclusion that the Status Report needs more information because it is not a full detailed report. However, if you wish to receive details on any task the COTR will be able to provide the detailed information using the Status Report as one of his sources. The Status Report is a summary document. The COTR will have the answers to these questions on page 7 not a Contract’s Status Report. However, it is a deliverable of our capabilities of providing the answers to some of these questions on page 7.

On page 9, “Another issue is that of outages”. “In one instance, at least one server (SRVCON) was inoperable for three working days.”
Please if you are willing, consider removing this statement because                    is not contracted to maintain the hardware.

The following comments are in response to comments made on page 4.

Every IT project has scope definition when they are initiated. When           received the RPI project, the requirements were to convert the existing database application to the most current web technology and SQL server. Besides addressing this requirement              has been working forward on the system to allow users to run dozens of static and dynamic reports, allow users to download a number of databases and tables via Access and Excel format and allow users to build their own search query and search all existing RPI database tables to satisfy the ever growing user need.         developed RPI front-end and back-end application including data cleanups and data migration support from the old database technology to the new SQL server environment, user accesses and permission management and many more functionalities are part of RPI. RPI maintains its own database and the application helps users to enter, edit, download, search and run reports from the database.

When Form18 was initiated, the requirement to download the data from the online application into the database was achieved day one. Form18 maintained its own database and its own table structure. All online OTI applications (Form18) were directly collected from Form18 database and all attached supporting documents and application data are organized and stored in the normalized SQL server database which allows the agency to extract, run queries and search the records. No one retypes online submitted Form18 application into Form18 database.
But why is the application submitted to Form18 not showing up in RPI database?

RPI & Form18 come to the project queue as separate stand alone applications.            identified the relationship between not only the two applications but with Form1 and ServCon as well.          recommended having Enterprise level Architecture design throughout the agency and possibly having a Master Database rather than duplicating records from one application to the other. This will give the agency the opportunity to have a centralized shared architecture with clearly stated business rules. Even to this day, in our meeting with BCL and Momentum, BCL didn’t clearly define how to handle the data communication between Form18 and RPI. It is not yet clear how to assign organization numbers in RPI (since all organizations need a number in RPI) when there is change of organizational structure, when the organization is sold, or absorbed fully or partially by another company. Without defining the basic requirements for each scenario, it would be hard to satisfy all the needs.

As a prototype          developed Passport databases that managed user profile and user accounts to allow all online users to use one user account for all FMC online applications. As of now Form18, Form1, and ServCon share the same data from passport databases to authenticate their users. Previously every application maintained its own account, which created inconsistency by insisting users have three different account profiles for each application.

Below is the overall database diagram I showed at our meeting with OIT in 2007 to recommend data synchronization.